AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.
DPA Data Controller Penalty: Maximum £500,000 Fine

How Does A Controller Get Served A Fine?

The issuance of monetary penalties follows a well-defined process.  First, the ICO conducts an investigation to establish whether the contravention is of a kind for which a penalty can be assessed.  If so, the amount is decided upon and a "notice of intent" is served on the data controller.  The "notice of intent", among other things, tells the data controller that the Commissioner proposes to serve a "monetary penalty notice" and that the controller may make written representations before that notice is served.

You might have heard that the ICO can hand out £500,000 fines.  This is a penalty assessed under sections 55A and 55B of the Data Protection Act 1998 (introduced by the Criminal Justice and Immigration Act 2008) and is applicable to data controllers only.  That is, you'll generally see companies, agencies, organisations, etc. being penalised.  However, this does not rule out an individual being fined that amount: an individual acting as a data controller (a sole trader, for instance) is subject to the same penalty.

(Before we continue, it should be noted that there is a difference between a "fine" and a "monetary penalty".  In the strictest terms, the £500,000 penalty is not a fine, the latter being punishment for criminal offences, as the ICO let me know.  Since the layperson does not usually differentiate between the two, I will use the terms interchangeably although the correct term throughout this article and blog really should be "monetary civil penalty".)

In other words, it is assessed on data controllers: the organisations (or individuals) that decide how personal data is processed and that are required to notify the ICO of that processing.  A data controller that processes personal data without notifying the ICO is committing a separate offence under section 21 of the DPA.  Section 55, Unlawful Obtaining of Personal Data, is a different offence again and has nothing to do with registration.

There are, however, other offences under other sections of the DPA that target an individual's wrongdoing and carry their own fines.

Maximum £500,000 Fine

Most people don't make a habit of breaking the law, but what happens if you do?  The ICO has the power to punish those who have.  In fact, since April 2010 it has been able to assess penalties of up to £500,000, with very few exceptions:

Except for the Crown Estate Commissioners or a person who is a data controller by virtue of section 63(3) of the Act, the power to apply monetary penalties applies to all data controllers in the private, public and voluntary sectors including, but not limited to: large companies; small businesses; sole traders; charitable bodies; voluntary organisations; Government Departments; and office holders created by statute such as electoral registration officers.

It should be noted, however, that the maximum amount is reserved for the worst offences.  In fact, the history of ICO penalties since it received the power to issue them is as follows (up to August 2011):

  • November 2010 - Employment services company A4e is fined £60,000 for the loss of an unencrypted laptop affecting 24,000 people
  • November 2010 - Hertfordshire County Council is fined £100,000 after staff send a fax to the wrong recipients
  • February 2011 - Ealing and Hounslow Councils are fined £80,000 and £70,000 respectively for the loss of an unencrypted laptop affecting 1,700 people
  • June 2011 - Surrey County Council is fined £120,000 for sending sensitive emails to the wrong address

As you can see, the greatest penalty to date is £120,000 (as of December 2011; the ICO publishes a full list of its penalties), implying that the ICO is waiting for the Big One before it hands out a £500,000 penalty.  There is some controversy surrounding the above fines, which I'll explore towards the end of this post.

It should be noted that under section 7.4 of "Information Commissioner's guidance about the issue of monetary penalties prepared and issued under section 55C (1) of the Data Protection Act 1998", organisations get a 20% early payment discount if the full amount is paid within 28 calendar days of the penalty notice being served.

Restrictions

The civil monetary penalties assessed under DPA sections 55A and 55B can only be levied against a data controller that seriously contravenes one or more of the eight data protection principles, and only where the contravention was of a kind likely to cause substantial damage or substantial distress and was either deliberate or one the controller knew or ought to have known about and failed to take reasonable steps to prevent.  Hence, a data breach does not by itself mean a penalty will follow.

Future Penalties

Furthermore, there might be other types of penalties in the future.  The ICO has published a number of papers observing that the data protection authorities of other EU member states have more robust powers when it comes to handing out penalties.

In a December 2007 paper titled "DATA PROTECTION POWERS AND PENALTIES: The Case for Amending the Data Protection Act 1998", the Information Commissioner's Office argues that its powers need to be broadened.  It notes that it is not seeking the ability to hand out custodial sentences (i.e., prison time); in the same breath, it notes that such a proposal could be put before Parliament.

As it turns out, the Secretary of State has had the power since 2008 to introduce custodial sentences for section 55 offences by order, but has so far not exercised it.  There appears to be mounting pressure to do so, however.

Furthermore, the ICO has noted that a 2006 survey found overwhelming support for giving it custodial powers.

Is the ICO Targeting Government?

If you look back at the history of penalties, you'll see that three of the four penalty actions (four of the five penalties, if you count Ealing and Hounslow separately) were assessed on government bodies.  Only one is a private company, and it was fined the least; yet its breach affected the most people.

Such instances have led to accusations that the ICO is unfairly targeting government bodies.


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.